CVE-2023-32115 : An attacker can exploit MDS COMPARE TOOL and use specially crafted inputs to rea

An attacker can exploit MDS COMPARE TOOL and use specially crafted inputs to read and modify database commands, resulting in the retrieval of additional information persisted by the system.

Published 2023-06-13 03:15:09

Updated 2023-06-26 13:55:12

Source SAP SE

View at NVD, CVE.org

Vulnerability category: Sql Injection

Products affected by CVE-2023-32115

SAP » Master Data Synchronization » Version: 600
cpe:2.3:a:sap:master_data_synchronization:600:*:*:*:*:*:*:*
Matching versions
SAP » Master Data Synchronization » Version: 602
cpe:2.3:a:sap:master_data_synchronization:602:*:*:*:*:*:*:*
Matching versions
SAP » Master Data Synchronization » Version: 603
cpe:2.3:a:sap:master_data_synchronization:603:*:*:*:*:*:*:*
Matching versions
SAP » Master Data Synchronization » Version: 604
cpe:2.3:a:sap:master_data_synchronization:604:*:*:*:*:*:*:*
Matching versions
SAP » Master Data Synchronization » Version: 605
cpe:2.3:a:sap:master_data_synchronization:605:*:*:*:*:*:*:*
Matching versions
SAP » Master Data Synchronization » Version: 606
cpe:2.3:a:sap:master_data_synchronization:606:*:*:*:*:*:*:*
Matching versions
SAP » Master Data Synchronization » Version: 616
cpe:2.3:a:sap:master_data_synchronization:616:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2023-32115

EPSS FAQ

0.14%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 35 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-32115

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source
4.2	MEDIUM	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N	1.1	2.7	SAP SE
Attack Vector: Local Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Changed Confidentiality: Low Integrity: Low Availability: None
6.1	MEDIUM	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N	1.8	4.2	NIST
Attack Vector: Local Attack Complexity: Low Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: Low Availability: None

CWE ids for CVE-2023-32115

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Assigned by: cna@sap.com (Primary)

References for CVE-2023-32115

https://launchpad.support.sap.com/#/notes/1794761

SAP ONE Support Launchpad: Log On
Permissions Required
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html

SAP Patch Day Blog
Vendor Advisory

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2023-32115

Products affected by CVE-2023-32115

Exploit prediction scoring system (EPSS) score for CVE-2023-32115

CVSS scores for CVE-2023-32115

CWE ids for CVE-2023-32115

References for CVE-2023-32115